On Fri, 06 Jun 2025 02:14:57 +0200
Josip Deanovic via Bacula-users <bacula-users@lists.sourceforge.net>
wrote:

Thanks for your reply, Josip

> On Thursday, June 5, 2025 6:01:46 PM CEST Richard Laysell wrote:
> > Hello,  
> 
> Hello Richard,
> 
> > I'm running Bacula 15.0.3 on Linux x64.  
> 
> I have tested it on 9.x but it should work on 15.x as well.
> 
> > I'm trying to get TLS working between director and client.  I have
> > created my own CA and have created certificates for the director and
> > client.  However, the client certificate is always rejected by
> > Bacula with either  
> 
> I would suggest to create certificates for storage daemon as well.

Yes - I will do that at some point but I'm trying to get
client->director working first

> 
> What is your goal?
> Do you want to encrypt only the authentication or would you like
> to encrypt the complete communication between Bacula components?

The complete communication

> 
> > ERR=26:unsuitable certificate purpose  
> 
> That means that you are using the certificate with wrong purpose.
> For example, you have created server certificate and you are trying
> to use it for the purpose where client certificate is expected or
> vice versa.
> 
> I have attached PDF document containing scheme that could help you
> better visualise and understand what needs to be done.
> Here is the summary of the certificates and their purposes
> (server/client) per Bacula daemons and their resources:
> 
> # bacula-dir
> director resource - server
> storage resource - client (used to connect to director resource of
> bacula-sd)
> client resource - client (used to connect to director resource of
> bacula-fd)
> 
> # bacula-sd
> storage resource - server
> director resource - server
> 
> # bacula-fd
> director resource - server
> filedaemon resource - client (used to connect to storage resource of
> bacula-sd)
> 
> # bconsole
> director resource - client (used to connect to director resource of
> bacula-dir)

This is the problem.  I AM creating a client certificate for the client
and a server certificate for the server, but Bacula refuses to accept
the client certificate.

I can see it is a client certificate by running the following command
and getting the following output.

$ openssl x509 -in client1.example.com.crt -purpose -noout
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : No
SSL server CA : No
Netscape SSL server : No
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

Still, Bacula does not accept this certificate and says:
ERR=26:unsuitable certificate purpose

So there is something else wrong with this certificate - but I don't
understand what.  Do I need to add other purposes (S/MIME signing etc)
or to remove other purposes?  There are so many options and I have
tried working through them and in doing so have generated about 30
different certificates but I have not managed to find one that will
work. It would be good if this was documented somewhere - a clear
description of the purposes which are required or forbidden.

> 
> > or
> > 
> > ERR=error:0A000413:SSL routines::sslv3 alert unsupported certificate
> > 
> > Here is my client configuration for the Director
> > Client
> > {
> >   Name = client1-fd
> >   Address = client1.example.com
> >   FDPort = 9102
> >   Catalog = MyCatalog
> >   Password = "mypassword"
> >   Maximum Concurrent Jobs = 20
> >   File Retention = 12 months
> >   Job Retention = 12 months
> >   TLS Enable = yes
> >   TLS Require = yes
> >   TLS Authenticate = yes
> >   TLS CA Certificate File = /opt/bacula/ssl/example-ca.crt
> >   TLS Certificate = /opt/bacula/ssl/bacdir.example.com.crt
> >   TLS Key = /opt/bacula/ssl/bacdir.example.com.key
> > }
> > 
> > Here is my file daemon configuration for the client
> > Director {
> >   Name = bacdir-dir
> >   Password = "mypassword"
> >   Address = bacdir.example.com
> >   TLS Enable = yes
> >   TLS Require = yes
> >   TLS Verify Peer = yes
> >   TLS Authenticate = yes
> >   TLS Allowed CN = client1.example.com
> >   TLS CA Certificate File = /etc/ssl/example-ca.crt
> >   TLS Certificate = /etc/ssl/client1.example.com.crt
> >   TLS Key = /etc/ssl/private/client1.example.com.key
> > }
> > 
> > Does this configuration look correct?  Bacula doesn't complain about
> > the configuration so I think it is OK.  
> 
> Most of it.
> I am concerned about the option "TLS Authenticate = yes" you are
> using.
> 
> Documentation states:
> "Please notice a very important feature of enabling TLS Authenticate
> to your daemons: if you enable the TLS authentication, the TLS
> encryption will be turned off and communication between the daemons
> will be done without Encryption."
> 
> So, make sure that this is what you want.

You are right, I do not want that option as I want all of the
communications to be encrypted. I was trying that option in desperation
to try to get it to work.

> Here is the link to the documentation section for your Bacula version:
> 
> https://www.bacula.org/15.0.x-manuals/en/main/
> Bacula_TLS_Communications_E.html

I have read the manual multiple times. But it does not explain how to
create a certificate which can be signed by a CA (I have an internal
CA) which works.  It gives an example for a self signed certificate
which works partially - only for the outgoing communication

> > What I don't understand is how to create a working client
> > certificate that Bacula will accept.  
> 
> I have attached the PDF that could help you understand what is needed.
> For example, for bacula-dir, you need three certificates:
> - one server certificate for director resource
> - one client certificate for storage resource
> - one client for client resource
> 
> For bacula-sd, you need two certificates:
> - one server certificate for storage resource
> - one server certificate for director resource
> 
> For bacula-fd, you need two certificates (they need to be created
> for every single server you want to backup):
> - one server certificate for director resource
> - one client certificate for filedaemon resource
> 
> For bacula console, you need one certificate:
> - one client certificate for director resource
> 
> Hope this helps.
> 
> > I have tried using both easyrsa and ssl-admin to create
> > certificates.  
> 
> I used openssl when I started to use that feature.
> I also used EJBCA.
> It doesn't matter what tool was used to create the certificates as
> long as they are created using the correct parameters.
> 
> > I have followed Dan Langille's advice on this page
> > https://dan.langille.org/2019/11/29/ssl-client-vs-server-certificates-and-bacula-fd/
> > But, this does not seem to work any more (using
> > ssl-admin and creating a client certificate using option 4 results
> > in 'ERR=26:unsuitable certificate purpose')  
> 
> I didn't try his procedure nor the tool he was using but I guess it
> works as long as the parameters for certificates are set as I described.

His procedure is very simple and there are no options other than the
name of the server and if the key should be password protected (I
selected NO for that as Bacula cannot load password protected keys).
It would appear that this procedure doesn't work with newer versions of
ssl-admin.

> 
> > Any advice would be most welcome.  
> 
> Using this Bacula feature is quite confusing without the scheme I have
> attached.
> It is very easy to make mistake.
> 
> In the past it took me hours to add a few servers to backup.
> I have automated the procedure using Ansible and now it takes a few
> seconds. Unfortunately this procedure wouldn't help you because it is
> customized for the environment in the company I currently work for.
> 
> If you get stuck and are not able to make it work, I could find the
> manual procedures I used in the past (using openssl).

Yes, please let me know how you were creating the certificates using
openssl.  I have tried creating a CSR using openssl and then signing
that using easyrsa or ssl-admin but had the same problems.

If you have an existing client certificate which works, please could
you run the following command to see which purposes it has and does not
have.
$ openssl x509 -in <path to cert> -purpose -noout

> 
> 
> Regards!
> 

Regards,

Richard


_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
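Added example, not part of the thread above and not Bacula's or Josip's
own procedure: the openssl steps that produce the two certificates the
Director-to-FD connection needs, plus the purpose check that explains the
error Richard sees. In Josip's table the FD's Director resource is a
"server" because the Director opens the TCP connection, so the FD is the
TLS server of that connection and must present a certificate OpenSSL accepts
for the sslserver purpose (extendedKeyUsage serverAuth); the Director's
Client resource is the TLS client and needs clientAuth. "ERR=26:unsuitable
certificate purpose" is OpenSSL's X509_V_ERR_INVALID_PURPOSE, raised when
the peer's certificate fails that purpose test, and the "sslv3 alert
unsupported certificate" is the alert the rejecting side sends back for the
same failure. So a certificate whose -purpose output reads "SSL client :
Yes / SSL server : No" is correct for bacdir's Client resource but is
rejected as soon as it is installed on the FD. Host names, paths and the
working directory below are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): issue one CA, a server certificate
# for the FD's Director resource and a client certificate for the
# Director's Client resource with openssl, then apply the same purpose
# test OpenSSL runs at the handshake. Names and paths are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the example does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$WORK/req.cnf"

# Extensions per role. OpenSSL's purpose check (X509_V_ERR_INVALID_PURPOSE,
# error 26, "unsuitable certificate purpose") rejects a peer certificate
# whose extendedKeyUsage lacks serverAuth on the accepting side or
# clientAuth on the connecting side.
write_ext() {
  case "$1" in
    ca)     printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' ;;
    server) printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$2" ;;
    client) printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\nsubjectAltName=DNS:%s\n' "$2" ;;
    *)      echo "unknown role: $1" >&2; return 1 ;;
  esac
}

make_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/ca.key" \
    -subj "/CN=example-ca" -out "$WORK/ca.csr"
  write_ext ca > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# issue ROLE FQDN -> $WORK/FQDN.ROLE.{key,crt}, signed by the CA above
issue() {
  role="$1"; fqdn="$2"; base="$WORK/$fqdn.$role"
  openssl genrsa -out "$base.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -key "$base.key" \
    -subj "/CN=$fqdn" -out "$base.csr"
  write_ext "$role" "$fqdn" > "$base.ext"
  openssl x509 -req -in "$base.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$base.ext" -out "$base.crt" 2>/dev/null
}

# check_purpose CERT sslserver|sslclient: exit 0 only if OpenSSL would
# accept CERT for that purpose, i.e. the same test the peer daemon applies.
check_purpose() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$1" >/dev/null 2>&1
}

# Build the pair from the thread and report, returning 0 only when the FD's
# certificate passes as a server and the Director's passes as a client.
run_demo() {
  make_ca
  issue server client1.example.com   # goes in bacula-fd's Director resource
  issue client bacdir.example.com    # goes in bacula-dir's Client resource
  fd="$WORK/client1.example.com.server.crt"
  dir="$WORK/bacdir.example.com.client.crt"
  for c in "$fd" "$dir"; do
    echo "== $c"
    openssl x509 -in "$c" -purpose -noout | grep -E '^SSL (server|client) :'
  done
  check_purpose "$fd" sslserver  || return 1   # FD accepts the connection
  check_purpose "$dir" sslclient || return 1   # Director opens it
  # A client-only certificate on the FD is exactly what produces ERR=26.
  if check_purpose "$dir" sslserver; then return 1; fi
  echo "purpose checks OK"
}

run_demo
```

The same rule applies to the other resources in Josip's table: each
resource that accepts a connection needs a serverAuth certificate and each
one that opens a connection needs a clientAuth certificate, and `openssl
verify -purpose sslserver` or `-purpose sslclient` against your CA tells
you in advance which side a given certificate will be accepted on.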
